
Software Security and Quality Assurance (SSQA) Framework Guidance

Title: Software Security and Quality Assurance (SSQA) Framework Guidance
Version: 1.0
Classification: PUBLIC

Document Control

Approval
Name: Ashraf Ali-Ismael
Role: NISCF Compliance Manager
Date of Approval: 08/10/2018
Version Number: 1.0

This guidance document is owned by the Ministry of Transport and Communications (MOTC), who shall update it as necessary.

Table of Contents

Introduction ... 6
Software Security and Quality Assurance Framework ... 8
Aligning the SSQA with the National Information Assurance Framework (NIAF) ... 9
Understanding the Framework ... 10
The Software Security Framework ... 11
  Governance ... 11
  Intelligence ... 11
  SSDL Touchpoints ... 12
  Deployment ... 12
  Objectives, Activities & Metrics ... 13
  Maturity Ratings ... 13
  Reading the Objectives and Activities Table ... 14
Governance ... 15
  Strategy and Metrics ... 15
  Compliance and Policy ... 16
  Training ... 17
Intelligence ... 18
  Attack Models ... 18
  Security Features and Design ... 19
  Standards and Requirements ... 20
SSDL Touchpoints ... 21
  Architecture Analysis ... 21
  Code Review ... 22
  Security Testing ... 23
Deployment ... 24
  Penetration Testing ... 24
  Software Environment ... 25
  Configuration Management and Vulnerability Management ... 26
What is a Software Security Group (SSG)? ... 27
What is meant by a Satellite? ... 27
Roles and Responsibilities ... 28
Appendix: SSQA Domains, Practices and Activities ... 31

Legal Mandate(s)

Emiri Decision No. (8) for the year 2016 sets the mandate for the Ministry of Transport and Communications (hereinafter referred to as “MOTC”) and provides that MOTC has the authority to supervise, regulate and develop the sectors of Information and Communications Technology (hereinafter “ICT”) in the State of Qatar in a manner consistent with the requirements of national development goals, with the objectives to create an environment suitable for fair competition, support the development of and stimulate investment in these sectors; to secure and raise the efficiency of information and technological infrastructure; to implement and supervise e-government programs; and to promote community awareness of the importance of ICT to improve individuals’ lives and the community and to build a knowledge-based society and digital economy.

Article (22) of Emiri Decision No. 8 of 2016 stipulates the role of the Ministry in protecting the security of the National Critical Information Infrastructure by proposing and issuing policies and standards and ensuring compliance.

This guideline has been prepared taking into consideration the current applicable laws of the State of Qatar. In the event that a conflict arises between this document and the laws of Qatar, the latter shall take precedence. Any such term shall, to that extent, be omitted from this document, and the rest of the document shall stand without affecting the remaining provisions. Amendments in that case shall then be required to ensure compliance with the relevant applicable laws of the State of Qatar.

References

• [IAP-NAT-DCLS] National Information Classification Policy
• [IAP-NAT-IAFW] Information Assurance Framework
• [NIAF-SSQA-S-SSL1] SSQA Level 3 Software Security Standard
• [NIAF-SSQA-S-SSL2] SSQA Level 3 Software Security Standard
• [NIAF-SSQA-S-SSL2] SSQA Level 3 Software Security Standard

A glossary of terms is defined within the Information Assurance Framework, [IAP-NAT-IAFW].

Introduction

An ever-increasing reliance upon digital services and technology, coupled with the ongoing discovery of weaknesses that threaten the confidentiality, integrity and availability of digital services and their data, presents an ongoing challenge for organizations and governments worldwide. It is therefore important to make sure that the software applications used by these entities are as secure as possible: that security has been considered within development or procurement efforts, and that the same concerns are addressed in development outsourced to third parties.

Secure development is a practice to ensure that the code and processes that go into developing applications are as secure as possible. Secure development practices consider security during each development phase or stage, regardless of the chosen development methodology. Within the context of software security, secure development applies secure coding practices to transform the traditional Software Development Lifecycle (SDL) into a Secure Software Development Lifecycle (SSDL).

This guidance document describes the Software Security and Quality Assurance (SSQA) Framework, integrated within the National Information Assurance Framework (NIAF), and describes how its domains, practices and activities support the goal of developing and sourcing secure software solutions to enable the State of Qatar to thrive as a digital nation.

Scope

This standard applies to all Agencies engaged in the development or implementation of software solutions, including those which outsource or procure software or digital services.

Purpose

This guidance document aims to introduce constituents to the Software Security and Quality Assurance (SSQA) Framework, outlining